Virus Name: OUTLOOK_EXPRESS.GoldenBoy.Intended Author: Zulu Origin: Argentina Intended VBScript email virus. When reading the email message having the HTML and VBScript code, it tries to create a file ("TEMP.HTA") in startup directory by using a bug in Internet Explorer 5.5 which was discovered by Georgi Guninski. This bug is different from the one I used in OUTLOOK.BubbleBoy, but I used the same object to create the file in startup directory (english Windows' versions only), that's why that file has some garbage characters like OUTLOOK.BubbleBoy. When run, the HTA file will create a new signature in OUTLOOK EXPRESS and it will set that signature as default for all outgoing messages. It will also make HTML messages the default mail format, so the new invisible HTML signature (invisible because it has no visible text in it) will be send in all written messages, this is the way the virus spreads. The problem that the virus has is that the bug code (a variation of Guninski's code, for example, not using an applet tag) is working in HTML files but not in HTML email messages. So the only way of making the virus work is to manually open "FOLDER.HTML" which is created by the HTA file and it's the HTML signature file used by OUTLOOK EXPRESS. Since I was unable of solving this problem and writing this virus was not fun anymore, I decided to release it as "Intended". I also found other problems when writing it, for example, first I thought in making it work in OUTLOOK EXPRESS using the already explained method and also in OUTLOOK by sending empty emails to addresses found in the address book. But a limitation in OUTLOOK EXPRESS signatures' size made my idea not possible and I had to remove the whole OUTLOOK code. Other reason of why releasing this virus even that it doesn't work is that what is not working is the bug code, the main code is fine, so this could be used in any other email virus by using other bug. Also, this code is very simple and is in VBScript instead of JScript like Kak (the first virus using email signatures for spreading), so it could be helpful for understanding how this method works. Thanks: - Evul: for telling me where the default identity was stored in the registry. - Georgi Guninski: for discovering the bug that is used by the virus. - Testers: I requested for testers for this virus but then I realized that it won't work no matter the Internet Explorer version I tested, so I never sent a copy of it to any of the people that answered my request. So thanks and sorry to all of those people who sent messages wanting to test the virus, this includes Aran, Beamz, BlackCode, Bruski, Duke, Linux0id, Mano Schwarz, Mch77, Peter Ferrie (well, at least that was what the email header said, hehe), Slage Hammer and Worf. Here is the code from the HTA file (this is a special version that has a few comments and unnecessary spaces were not removed): Temp